Sometimes assigning Full Access permissions in Exchange is not possible due to company security policy. In that case we need a flexible way to grant the ApplicationImpersonation permission to the connecting user so that it covers only a specific list of users (the synchronized mailboxes) in Exchange.


MS Exchange allows more fine-grained control with the help of the ApplicationImpersonation role and customizable Management Scopes. The list of users can be managed through Exchange Distribution Groups: to enable or disable synchronization for a specific user, add that user to or remove that user from the distribution group.

Step 1: Add Distribution Group

Add a distribution group to contain the users for sync:

Here we create a group named crmAEsync. We will need this group later.

Step 2: Add Users Belonging to the Group

Right click on the group and choose Properties…:

Switch to the Members tab and choose Add:

Add users:

Step 3: Configure ManagementScope

Now you need to use Exchange Management Shell:

Here is the script that should be executed.

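# Resolve the distinguished name of the sync group created in Step 1
$groupidentity = $(Get-DistributionGroup crmAEsync).Identity.DistinguishedName
# Scope that matches only recipients that are members of that group
New-ManagementScope -Name:"CRMSyncScope" -RecipientRestrictionFilter "MemberOfGroup -eq '$groupidentity'"
# Grant impersonation to the connecting account, limited to that scope
New-ManagementRoleAssignment -Name:"CRMSyncRole" -Role:ApplicationImpersonation -User:"<username>" -CustomRecipientWriteScope:"CRMSyncScope"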

Where <username> is the login name of the user connecting to CRM. This user will be able to impersonate everyone in the distribution group.
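
To confirm that the assignment is really limited to the group, the following check can be run in the Exchange Management Shell after Step 3. It is an added example, not part of the original procedure; it assumes the names crmAEsync, CRMSyncScope and CRMSyncRole used above and uses only read-only Get-* cmdlets.

```powershell
# Added verification example (read-only); run in the Exchange Management Shell.
# Assumes the names created in Steps 1-3: crmAEsync, CRMSyncScope, CRMSyncRole.
$group = Get-DistributionGroup crmAEsync
$dn    = $group.DistinguishedName

# 1. The scope exists and its recipient filter references the group's DN.
$scope = Get-ManagementScope -Identity "CRMSyncScope"
$scope | Format-List Name, RecipientFilter, ScopeRestrictionType
$filterText = [string]$scope.RecipientFilter
if ($filterText.IndexOf($dn, [StringComparison]::OrdinalIgnoreCase) -lt 0) {
    Write-Warning "CRMSyncScope filter does not reference $dn"
}

# 2. The assignment is bound to the custom scope, not to the whole organization.
Get-ManagementRoleAssignment -Identity "CRMSyncRole" |
    Format-List Name, Role, RoleAssigneeName, RecipientWriteScope, CustomRecipientWriteScope

# 3. List ApplicationImpersonation assignments that carry no custom scope.
#    If one of them applies to the connecting account, the restriction
#    configured in Step 3 no longer limits that account.
Get-ManagementRoleAssignment -Role ApplicationImpersonation |
    Where-Object { -not $_.CustomRecipientWriteScope } |
    Format-Table Name, RoleAssigneeName, RoleAssignmentDelegationType, RecipientWriteScope

# 4. Compare what the filter matches with the group's member list.
$inScope = @(Get-Recipient -ResultSize Unlimited -Filter "MemberOfGroup -eq '$dn'" |
    ForEach-Object { [string]$_.PrimarySmtpAddress })
$members = @(Get-DistributionGroupMember -Identity $group.Identity -ResultSize Unlimited |
    ForEach-Object { [string]$_.PrimarySmtpAddress })

$members | Where-Object { $inScope -notcontains $_ } |
    ForEach-Object { Write-Warning "Group member not matched by scope filter: $_" }
$inScope | Where-Object { $members -notcontains $_ } |
    ForEach-Object { Write-Warning "Matched by scope filter but not a listed member: $_" }

"{0} recipients in scope, {1} listed group members" -f $inScope.Count, $members.Count
```

Any warning from part 4 means the set of mailboxes the account can impersonate differs from the group membership shown in Step 2 and should be reviewed before synchronization is enabled.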